What is a "query parameter" in C++?
Question
We were using stringstream to prepare select queries in C++. But we were strongly advised to use QUERY PARAMETERS to submit DB2 SQL queries to avoid using stringstream. Can anyone share what exactly is meant by a query parameter in C++? Also, share some practical sample code snippets.
Thanks in advance for the help.
Edit: It is stringstream and not strstream.
Thanks, Mathew Liju
Accepted answer
I suspect this refers to parameterized queries in general: rather than constructing the query in a string, they supply SQL variables (or parameters) and then pass those variables separately. These are much better for handling SQL injection attacks. To illustrate with an example:
"SELECT * FROM Customers WHERE CustomerId = " + _customerId;
is bad, whereas this:
"SELECT * FROM Customers where CustomerId = @CustomerId"
is good. The catch is that you have to add the parameters to the query object (I don't know how this is done in C++).
Related questions:
- http://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks
- Stored Procedures vs Parameterized Queries
Wild Wild Web:
- http://www.justsoftwaresolutions.co.uk/database/database-tip-use-parameterized-queries.html
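The part the answer leaves open ("I don't know how this is done in C++"), as an added example that is not from the original post: a self-contained C++ sketch of the prepared-statement contract, contrasting the stringstream construction from the question with a statement whose text is fixed at prepare time. `PreparedStatement`, `bindInt`, `parameterizedSql` and `bindsCleanly` are hypothetical names; the DB2 CLI calls they mirror (SQLPrepare, SQLBindParameter, SQLExecute) are named in comments only and not exercised here.

```cpp
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// The pattern the question describes: the value is spliced into the SQL text with
// stringstream, so whatever the caller supplies is parsed by the server as SQL.
std::string buildWithStringstream(const std::string& customerId) {
    std::ostringstream q;
    q << "SELECT * FROM Customers WHERE CustomerId = " << customerId;
    return q.str();
}

// Minimal stand-in for a prepared statement (hypothetical class, not a DB2 API): the
// SQL text is fixed at prepare time and values travel separately as typed parameters.
// With the DB2 CLI the equivalent steps are SQLPrepare, SQLBindParameter, SQLExecute.
class PreparedStatement {
public:
    explicit PreparedStatement(const std::string& sql) : sql_(sql) {
        for (char c : sql_) if (c == '?') ++markers_;
        ints_.resize(markers_);
    }
    // Bind an integer parameter: the text is converted to a typed value here, and
    // anything that is not a whole integer is rejected instead of becoming SQL.
    void bindInt(std::size_t index, const std::string& text) {
        if (index >= markers_) throw std::out_of_range("no such parameter marker");
        std::size_t consumed = 0;
        int value = std::stoi(text, &consumed);   // throws invalid_argument on non-numeric text
        if (consumed != text.size())
            throw std::invalid_argument("parameter is not an integer: " + text);
        ints_[index] = value;
    }
    const std::string& sql() const { return sql_; }  // unchanged by any bound value
    const std::vector<int>& params() const { return ints_; }
private:
    std::string sql_;
    std::size_t markers_ = 0;
    std::vector<int> ints_;
};

// Statement text that reaches the server for a given input when parameters are used.
std::string parameterizedSql(const std::string& customerId) {
    PreparedStatement stmt("SELECT * FROM Customers WHERE CustomerId = ?");
    stmt.bindInt(0, customerId);
    return stmt.sql();
}
// True if the input is accepted as an integer parameter, false if binding rejects it.
bool bindsCleanly(const std::string& customerId) {
    try { parameterizedSql(customerId); return true; }
    catch (const std::invalid_argument&) { return false; }
}
```

With a real driver the same shape holds: the `?` markers stay in the statement text and the bound values are sent as typed data, which is why the input can never change the statement's structure.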